Today (30th April 2020) there was an interesting webinar by Justice B N Srikrishna on the Personal Data Protection Act. A detailed report on the webinar has been provided in www.naavi.org. In the well attended webinar where more than 890 people were on board the Zoom platform which remained perfectly stable, several questions were raised by the participants and due to the paucity of time Justice Srikrishna was not able to answer them. To build the general knowledge base, the questions have been picked up and answered here. I hope it would be useful.
Q 1: What is the punishment under PDPA for illegal transfer of data
Answer: PDPA is basically a legislation to promote proactive compliance of measures that would help in protection of Privacy through “Information Privacy”. It therefore prescribes restrictions on transfer of data outside India. If this is contravened, there could be civil penalties to the extent of 4% of the total worldwide turnover of the data fiduciary or Rs 15 crore which ever is higher. (In case of Government organizations the penalty is limited to Rs 5 crore). No criminal punishment is envisaged for this contravention.
Q 2: What is the punishment for taking data in the name of investigation and sovereignty of India
Answer: Misuse of law by law enforcement and the Government agencies due to political and other influences cannot be fully prevented by law alone. However when the law has provided some powers under certain conditions and it is used in a situation where the conditions are not fulfilled, the act would become an “Unauthorized Action”.
In such cases the law enforcement person or the Government employee however he is can be charged of “Unauthorized Access”, “Unauthorized diminution of the value of the information” which are cognizable offences under ITA 2000 (Information Technology Act 2000) as well as some provisions under IPC. The difficulty of bringing such influential persons to answer the law and the problem of delays tin court proceedings are hurdles for which the system has to take responsibility.
Q3: The Right to be forgotten has been truncated in PDPB compared to GDPR. Why?
The rights provided under PDPB is not truncated compared to GDPR. The Right to Access, Right to Correction, Right to Portability and Right to Forget are all available in Indian law as well as GDPR.
The only distinction is that the “Right to Forget” can be exercised only after clearance from the Adjudicator. This is a welcome step to ensure that criminals donot take advantage to remove the traces of crime and evidence.
Q4: What would be the impact of GDPR on Indian Companies post PDPA?
GDPR applies to personal data collected from the EU region or profiling done in the EU region. PDPA applies to personal data collected from the Indian region or profiling done in Indian region.
Indian law has also recognized the need to provide exemption on specific notification when EU personal data is processed in India by an Indian Data Processor under a contract from the EU Data Controller.
Hence there is no overlapping of GDPR with PDPA.
Q5: How do we cover Data Privacy in the current scenario before the Act becomes effective?
PDPA is conceived as an extension of ITA 2000. Presently there is Section 43A of ITA 2000 which provides obligations to “Body Corporates” to follow “Reasonable Security Practice”. The Reasonable Security Practice includes the best industry practices and the contractual obligations. Now the best industry practice represented as “Due Diligence” covers the entire PDPB. Hence we already have a legal framework to impose penalties under ITA 2000 though we may not have a DPA mechanism or 2% or 4% penalty regime.
ITA 2000 also has provisions under Section 43 linked to Section 66 as well as Section 72A, Section 67C, Section 69, 69A, 69B and 70B all of which impose different responsibilities of data protection which includes personal data protection and covers both civil and criminal penalties.
Hence we already have a law which will get refined and get a better implementation mechanism after PDPB becomes PDPA
Q 6: Would Targeted Ads on Social Media Sites is “Breach of Privacy”?
Privacy is breached when personal information of a data subject is used without his consent. Targetted Ads is an indication that the profile of the individual has been created by the advertiser.
It is possible that the profile might have been created out of information shared by the individual with consent. Alternatively the profiling might have been accidental or related to the environment.
For example, if a person visits open the Zomato app, and an advertisement of a restaurant appears, it is because the Zomato environment has been branded as a place visited by some body who is on the look out for a hotel.
If however the individual is on twitter discussing politics but he gets an ad related to a computer which he had explored for purchasing on Amazon yesterday, there is an indication that Amazon has shared the information to the ad serving company.
Perhaps Amazon has already taken the “Implied Consent” of the individual as part of the terms and conditions. If we donot like it, we can check back on the terms of Amazon and decide whether you should continue to use Amazon or not.
When it comes to applying data protection laws, apart from checking on the consent, we need to check what harm has been committed in the process other than the ad being shown (as long as it is not obscene or inducing disharmony etc).
Q 7: What is the difference between the Data Fiduciary and the Data Processor?
Both the Data Fiduciary and the Data Processor, undertake activities of “Processing” which may include collection, storing, transmission, aggregation etc. But the Data Processor does not take an independent decision on the “Purpose” and “Means of Processing”. Data Fiduciary decides what to do with the personal data and how it has to be processed. In most cases, the personal data is collected by the Data Fiduciary after obtaining the consent since he known the purpose of collection. Occassionally, he may engage the services of another (Data Processor) who collects the personal data based on the consent requirement that is mandated by the Data Fiduciary.
As long as the Data Processor remains a faithful follower of the Contract of Processing, he remains a Data Processor. If he starts using his discretion, he would be taking on the role of a “Co-Data Fiduciary”.
Law makes Data Fiduciary mostly responsible for following the data protection principals, honouring the data principal’s rights, security etc. because he is responsible for the way data is processed. The Data Processor is mainly responsible for security and faithful following of the contractual obligations. He does not have a discretion to act as he likes. Hence there is a difference in the liability of the two.
In any practical case, distinguishing the roles is important and often complicated.
Q 8: Why is Password not part of the data protection regime?
Password has been omitted from the list of Sensitive Personal Information. But it is still part of the security that both the Data Fiduciary and the Data Processor are responsible.
Also, India has other means of authentication such as Digital Signatures which are legally recognized while Password is only a business convenience. All authentication methods are part of the Security requirements and passwords alone cannot be added as sensitive, unless all “Access Credentials” by whatever name they are called including “Encryption and Decryption keys” are brought into the higher level of security.
Q 9: If personal data is stored outside India, will there be a Jurisdictional issue?
Yes. It is for this reason that the law enforcement is pressing for “Data Localization” or atleast for a copy of the data to be kept in India.
Data Localization is also an economic benefit to the country as it would boost the data storage industry and the eco system around it.
Presently only sensitive information needs to be retained in India as a copy. Critical data alone is prohibited for transfer. Personal data can be freely transferred.
Q 10: What happens to data stored prior to the act becoming effective
In the absence of any specific direction in this regard from the DPA, it would be necessary for organizations to renew the consent on legacy personal data or purge them.
Q 11: Is a separate law required for Community data?
PDPA covers the law regarding an individual’s personal data. If there is a personal data of a group of persons then that data belongs to all of them jointly and severally. The right should be shared.
What Justice Srikrishna called as “Community data” in the report was data such as Google Maps which were contributed by many individuals but collectively exploited by a commercial entity. He felt that this belongs to the category of “Non Personal Data” but is an aggregation of personal data collection, de-identified to some extent. Such data may also come up in Smart Cities and IoTs.
It would have been possible to include regulation of such data in PDPA but since it may involve other technology related dimensions, perhaps the Srikrishna Committee felt that it was beyond the scope of what the Supreme Court expected a Personal Data Protection act could do.
We can wait and see what Kris Gopalakrishna committee on Data Governance framework may suggest in this regard.
Q 12: There is X company having Co-location data center in India. Will the laws of X Country apply?
This sort of a situation presents a difficult legal proposition. The “Data” is processed in devices physically located in India but it relates to individuals whose “Privacy” or any other right is protected under the laws of that country. Hence both country’s laws have an impact.
PDPA has however tried to overcome this dilemma by making a provision that if personal data of foreign citizens is being processed in India (Whether through servers owned by a foreign entity or an Indian entity), then such facility can be notified as exempt from Indian PDPA. This eases the problem of foreign entities using India for establishing their data centers.
Q 13: What is the Sprinklr Scam?
Sprinklr is a US Company engaged in Data Analytics. Kerala Government used the services to process the data of Covid patients to track the people infected, the progress of the infections in the state etc.
Initially a form was provided on the portal of the Company where information could be entered by the public or the health workers. Later a separate website was opened under a domain name of the Kerala Government in which the form was hosted.
There was also a political objection raised by Congress party in Kerala that the contract was not properly awarded after evaluation and there was some favouritism involved in awarding the contract. The contract was for free for 6 months which could be either considered as a favour done to the Government or that the data was of such value that processing fee was waived.
From the perspective of the Privacy, the absence of proper data protection contract, the possibility of sensitive data being used by a foreign agency, the fact that dispute resolution was subject to the New York Jurisdiction (like many other web based contracts) were raised. The Kerala High Court has given an interim order stating that only “Anonymized” personal data should have been shared and not what the Government did.
More than the “Scam” angle what is relevant is that this case has underscored the need for the PDPA to be made effective as soon as possible so that erring companies face regulatory supervision.
Q 14: What will happen to the Copyright of one data fiduciary when porting is requested?
In the event porting of personal data along with the profile built over the information provided by him involves revealing of any trade secret, the Data Fiduciary can contest the porting in full and also approach the Adjudicator if required.
This problem underscores the need to understand the nature of data and its lifecycle in an organisation and how law may have to be modified in its application at different points of time.
Q 15: Will a consent taken through EULA be valid?
While certain aspects of privacy related consent can be obtained in the EULA, the “Notice” and “Consent” has to be taken in such a manner that the data principal understands the context in which the permissions are asked for and taken.
When sensitive personal information is involved in the processing, explicit consent is necessary. Even in other cases where implicit consent may suffice, taking it through EULA would not provide the appropriate focus to the Privacy protection.
It is therefore recommended that Privacy Notice should be properly highlighted even when taken along with the terms of service and there is no scope for the data principal being confused with extraneous aspects.
Q 16: What happens to the data in a Company which is amalgamated with another Company?
In amalgamations or acquisitions, the entity survives in a new capacity and the data gets transferred like any other property to the amalgamated entity. Acquisitions are therefore a way of buying data if it is a valuable asset.
One classic example is the case of CIBIL which was acquired by TransUnion and was renamed as TransUnion CIBIL. With this acquisition, Transunion which earlier had a share holding of 10% raised its shareholding to 92.1% and in the process 600 million sensitive data sets of Indian Citizens and 32 million data sets of businesses came under the control of the US Company.
At present PDPA does not address such “Data Laundering” directly. In fact Consent is exempted in cases of Credit Scoring for collection of non sensitive data. However the organization like Trans Union CIBIL would be considered as a “Data Fiduciary” and would be subject to the authority of DPA to conduct data audits. The financial data would also be considered as “Sensitive Personal Data” and the company would be considered as a Significant Data Fiduciary.
Q 17: How Would Arogya Setu app reconcile with Privacy?
Arogyasetu is an app floated by the Government to enable tracking of Covid infected patients and preventing them from coming in to close contact with others and spread the infection.
The use of the app as an instrument of public safety would be considered acceptable under the permitted exemption.
The App managers have to however ensure that appropriate consent is obtained, data is properly secured and all compliance measures envisaged under the Act are followed.
Q 18: Government often uses Drones for maintaining public peace and in the process the Drones capture images of people in the street and inside the houses. Does it affect Privacy.
Use of Drones for maintaining vigilance to control riots and to otherwise manage public safety is an exempted use from Privacy Perspective. Normally Drone would capture images from public space and hence privacy may not be involved. However if any pictures capture within the private property, it may be considered as ” Incidental to the main purpose of keeping vigilance on public street”
Also if a criminal runs away from public space and hides inside a private premises, the doctrine of hot chase should apply to track him and bring him out.
These incidents are special incidents and law has to be treated them as such.
Q 19: When is “Deletion of Data” required under PDPA
Personal data which was collected for a specific purpose should be deleted after the purpose is over. Similarly the Data Principal has a right to demand deletion of data for the purpose of correction and in exercise of his rights of portability and right to forget. Right to forget is however subject to mandatory Adjudication.
Q 20: When does the Breach of Privacy occur?… At the time of collection? or at the time of its use?
Since the law prescribes that personal data shall be collected under a consent, used for a specific purpose etc., breach of the law of privacy can occur at both occassions.
Q 21: Why is it necessary that personal data has to be given to every telephone operator when a data principal wants to open accounts with each of them? Can there not be a centralized data center?
Presently RBI is trying to set up a Centralized KYC system for Banks. Similar system can be used by telecom operators. Besides PDPA has a provision of a “Consent Manager” who can act as a centralized repository of personal data and prevent data duplication and associated multiplicity of risks.
Q 22: Mobile Apps often misuse the permissions given at the time of downloading by taking permission for purposes that are irrelevant. Does PDPA address this.
Mobile App owners are data fiduciaries under PDPA and are bound by all compliance measures envisaged under the Act. This includes purpose specific and purpose limited collection of information. If this is violated fines can be levied at 2% pr 4% of global turnover. The DPA will have power to conduct its own audit. In case of popular Apps, DPA may declare it as a “Significant Data Fiduciary” and an annual data audit from an external data auditor could be mandatory. The Data Principals can also make a complaint directly to the DPA. While the sheer number of Apps may pose their own challenges, there are adequate measures to prevent misuse of permissions at least in case of popular Apps.
Q 23: If some one steals a mobile phone and data from the phone, is it an offence?
Such offences are already covered under Information Technology Act 2000. What PDPA does is to add penalties to the companies who manage Apps through which personal data is collected and misused when not required for the purpose of the App.
Q 24: Is there any time limit for storage of data in the Bill?
The time limits would be specified through regulations from DPA. Until then it would be guided by the purpose of collection and the legitimate interest of the data fiducairy.
Q 25: As per the bill protection is provided only for natural persons. What happens in the case of dead persons?
The Personal Data Protection Bill tries to protect the Privacy rights of the citizens of India through pro-active measures to be taken by organizations which collect and process personal information. Hence it is limited to natural persons.
The concept of privacy protection through data protection is being achieved by capturing a choice to the data principal to declare how his/her personal data has to be processed by the person who collects it. This choice is expressed through a document of consent which is like a contract.
Hence in case of a dead person, the Constitutional right such as “Right to Dignified Life and Liberty” ceases to have meaning and there is no way consent of a dead person to considered valid. Hence it is impractical to expect that “Privacy Right” has to be extended to dead persons. Dignity of a dead person in respect of providing a decent cremation etc is not “Privacy”. Secrecy of the affairs of the dead person is also not “Privacy” though it is important for the legal heirs to protect the truth about a dead person becoming public after death.
Hence PDPA as a law to protect Privacy does not address the right of a dead person, though in some other countries like Singapore some rights continue after death for a specific time period.
Some of the service providers like Google or Face Book may consider the information assets of a person in the accounts as some thing which can be revealed to the legal heirs just as the contents of a Bank locker is given to the legal heirs. These are dictated by inheritance rights and not Privacy.
Q 26: When a data fiduciary has transferred the data to a third party data processor and the data principal exercises his right to erasure, how does the data fiduciary manage it?
It is necessary for the data fiduciary to bind the data processors by contract and ensure that at all times the shared data is synchronized not only in cases of deletion but also in cases of correction. This is an essential aspect of compliance.
Q 27: How Will a consent based law work in a country like India where people are illiterate?
The mechanism of Consent Manager is one of the innovative methods that PDPB 2019 has suggested to address such issues.
Q 28: How do we protect recording of telephone calls?
When A is talking to B, a conversation is generated which belongs to both A and B jointly. If either one of them records, it cannot be objected on the grounds of privacy because the data is being disclosed voluntarily.
Only if a third party intercepts the conversation and records, an offence can be recognized and it will be recognized under PDPA for civil compensation and under ITA 2000 for both civil and criminal remedies.
Q 29: Can one use data from someone elses’s phone and use it as evidence?
Yes. Under Indian Evidence Act irrespective of the means of collection of evidence, if it is a fact and has to be produced as evidence, it can be admitted under the relevant procedure such as Section 65B of Indian Evidence Act. If in the process there is any violation of PDPA, then the person should face the consequences parallelly.
Q 30: What would be the time period for implementation of the PDPB?
The Government while passing the Act may specify different time schedule for implementation of different provisions.
(P.S: The views expressed above are the personal views of Naavi based on the interpretation of the current version of the Bill. These could change with the passage of the bill and the issue of clarifications by the Government and/or DPA. Further questions if any can be sent to FDPPI/Naavi)